Ok, I managed to restart the IPA service by adding this line to the
file /etc/httpd/conf.d/nss.conf:
###
NSSEnforceValidCerts off
###
But when I run getcert now, I get the following result:
###
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140528063903':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=CA Audit,O=<MYREALM>
expires: 2018-04-09 11:39:16 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063904':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=OCSP Subsystem,O=<MYREALM>
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063905':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=CA Subsystem,O=<MYREALM>
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063906':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=IPA RA,O=<MYREALM>
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20140528063907':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=<IPA SERVER HOST>,O=<MYREALM>
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140528063919':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction. Peer certificate cannot
be authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=<IPA SERVER HOST>,O=<MYREALM>
expires: 2016-05-28 06:39:18 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
<MYREALM>
track: yes
auto-renew: yes
Request ID '20140528063953':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction. Peer certificate cannot
be authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=<IPA SERVER HOST>,O=<MYREALM>
expires: 2016-05-28 06:39:52 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
PKI-IPA
track: yes
auto-renew: yes
Request ID '20140528064145':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: -504 (libcurl
failed to execute the HTTP POST transaction. Peer certificate cannot
be authenticated with known CA certificates).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=<IPA SERVER HOST>,O=<MYREALM>
expires: 2016-05-28 06:41:44 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
###
Indeed, the outdated entries are the following:
- for /etc/dirsrv/slapd-<MYREALM>: 20140528063919
- for /etc/dirsrv/slapd-PKI-IPA: 20140528063953
- for httpd?: 20140528064145
Best regards.
Bahan
On Wed, Sep 14, 2016 at 6:28 PM, bahan w <bahanw042...@gmail.com> wrote:
Ok :D
Because to perform the getcert list command, I need to have all
the IPA services running, right?
Here is the result of the command with the ipa services down.
###
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20140528063903':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=CA Audit,O=<MYREALM>
expires: 2018-04-09 11:39:16 UTC
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063904':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=OCSP Subsystem,O=<MYREALM>
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063905':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=CA Subsystem,O=<MYREALM>
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20140528063906':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=IPA RA,O=<MYREALM>
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20140528063907':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='159203530658'
certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=<IPA SERVER HOST>,O=<MYREALM>
expires: 2018-04-09 11:38:16 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20140528063919':
status: MONITORING
ca-error: Error setting up ccache for local "host" service
using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-<MYREALM>/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-<MYREALM>',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=<IPA SERVER HOST>,O=<MYREALM>
expires: 2016-05-28 06:39:18 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
/usr/lib64/ipa/certmonger/restart_dirsrv <MYREALM>
track: yes
auto-renew: yes
Request ID '20140528063953':
status: MONITORING
ca-error: Error setting up ccache for local "host" service
using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=<IPA SERVER HOST>,O=<MYREALM>
expires: 2016-05-28 06:39:52 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
/usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes
Request ID '20140528064145':
status: MONITORING
ca-error: Error setting up ccache for local "host" service
using default keytab: Cannot contact any KDC for realm '<MYREALM>'.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<MYREALM>
subject: CN=<IPA SERVER HOST>,O=<MYREALM>
expires: 2016-05-28 06:41:44 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
###
Best regards.
Bahan
On Wed, Sep 14, 2016 at 6:21 PM, Martin Basti <mba...@redhat.com> wrote:
Then you have to start the services manually. I don't know if the
same steps will work with IPA 3.0.0, I don't remember, but you
can try :)
On 14.09.2016 18:18, bahan w wrote:
Oh, I forgot to add that my version of IPA is quite old:
###
# rpm -qa | grep ipa-server
ipa-server-3.0.0-25.el6.x86_64
###
When I try the command you gave me, I get the following error:
###
# ipactl start --force
Usage: ipactl start|stop|restart|status
ipactl: error: no such option: --force
###
Best regards.
Bahan
On Wed, Sep 14, 2016 at 6:14 PM, Martin Basti <mba...@redhat.com> wrote:
On 14.09.2016 17:59, bahan w wrote:
Hello !
I'm sending you this mail because I cannot restart my test
IPA server.
When I try to start it with service ipa start, I get the
following error message:
###
# service ipa start
Starting Directory Service
Starting dirsrv:
<MYREALM>...[14/Sep/2016:17:57:23 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for
cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable
Runtime error -8181 - Peer's Certificate has expired.)
[ OK ]
PKI-IPA...[14/Sep/2016:17:57:33 +0200] - SSL alert:
CERT_VerifyCertificateNow: verify certificate failed for
cert Server-Cert of family
cn=RSA,cn=encryption,cn=config (Netscape Portable
Runtime error -8181 - Peer's Certificate has expired.)
[ OK ]
Starting KDC Service
Starting Kerberos 5 KDC: [ OK ]
Starting KPASSWD Service
Starting Kerberos 5 Admin Server: [ OK ]
Starting MEMCACHE Service
Starting ipa_memcached: [ OK ]
Starting HTTP Service
Starting httpd: [FAILED]
Failed to start HTTP Service
Shutting down
Stopping Kerberos 5 KDC: [ OK ]
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping ipa_memcached: [ OK ]
Stopping httpd: [FAILED]
Stopping pki-ca: [ OK ]
Shutting down dirsrv:
<MYREALM>... [ OK ]
PKI-IPA... [ OK ]
Aborting ipactl
# service ipa status
Directory Service: STOPPED
Failed to get list of services to probe status:
Directory Server is stopped
###
Do you know how to renew the SSL certificate used for
the IPA server?
Best regards.
Bahan
Hello,
please run
# ipactl start --force
# getcert list (to detect which certificate is outdated,
I suspect the DS cert (or to get more info on why it has not
been renewed))
If getcert does work (I'm not sure if it is able to work
without httpd), you probably need to move the time back to the
past where the cert is valid, start IPA and try again.
Please find the ID of the outdated certificate and try to resubmit it
(CA and DS must be running)
# getcert resubmit -i 20160914122036 (use your ID :) )
This should renew the cert; check the status with getcert list
Move the time back to the future (if needed)
Try to restart IPA
Martin^2
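Martin's procedure relies on reading `getcert list` to find which tracked certificate is outdated before resubmitting its ID, which Bahan did by eye across eight entries. The helper below is an added example, not code from the thread or from certmonger: it parses the block layout `getcert list` prints and flags entries that are expired at a given time, stuck, or in any status other than MONITORING. The sample output is constructed, with a placeholder instance directory slapd-EXAMPLE.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the one-line-per-field layout `getcert list` prints (abridged).
SAMPLE_OUTPUT = """\
Request ID '20140528063907':
status: MONITORING
key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-04-09 11:38:16 UTC
Request ID '20140528063919':
status: CA_UNREACHABLE
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert',token='NSS Certificate DB'
expires: 2016-05-28 06:39:18 UTC
"""

def parse_utc(text):
    """Parse getcert's 'YYYY-MM-DD HH:MM:SS UTC' stamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            entries.append({"id": m.group(1)})
        elif entries:  # skip the header line before the first block
            cur = entries[-1]
            spec = re.search(r"location='([^']*)',nickname='([^']*)", line)
            if spec and "location" not in cur:  # first NSSDB spec = key pair storage
                cur["location"], cur["nickname"] = spec.groups()
            key, sep, value = line.partition(": ")
            if sep:  # 'key: value' field; wrapped continuation lines have no ': '
                cur[key] = value.strip()
    return entries

def find_problem_certs(entries, now):
    """(id, nickname, location, reasons) for entries expired at now, stuck, or not MONITORING."""
    problems = []
    for e in entries:
        reasons = []
        if "expires" in e and parse_utc(e["expires"]) <= now:
            reasons.append("expired " + e["expires"])
        if e.get("stuck") == "yes":
            reasons.append("stuck")
        if e.get("status", "MONITORING") != "MONITORING":
            reasons.append("status " + e["status"])
        if reasons:
            problems.append((e["id"], e.get("nickname"), e.get("location"), "; ".join(reasons)))
    return problems
```

Each flagged ID is the value to pass to `getcert resubmit -i` once the CA and DS are running, as Martin describes.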